rtc: tps65910: fix possible race condition

[ Upstream commit e6000a438e534ee0afd9e83b67f4e23a26dd1067 ]

The IRQ is requested before the struct rtc is allocated and registered, but
this struct is used in the IRQ handler. This may lead to a NULL pointer
dereference.

Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
before requesting the IRQ.

Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/rtc/rtc-tps65910.c b/drivers/rtc/rtc-tps65910.c
index d0244d7..a56b526 100644 (file)
--- a/drivers/rtc/rtc-tps65910.c
+++ b/drivers/rtc/rtc-tps65910.c
@@ -380,6 +380,10 @@ static int tps65910_rtc_probe(struct platform_device *pdev)
        if (!tps_rtc)
                return -ENOMEM;
 
+       tps_rtc->rtc = devm_rtc_allocate_device(&pdev->dev);
+       if (IS_ERR(tps_rtc->rtc))
+               return PTR_ERR(tps_rtc->rtc);
+
        /* Clear pending interrupts */
        ret = regmap_read(tps65910->regmap, TPS65910_RTC_STATUS, &rtc_reg);
        if (ret < 0)
@@ -421,10 +425,10 @@ static int tps65910_rtc_probe(struct platform_device *pdev)
        tps_rtc->irq = irq;
        device_set_wakeup_capable(&pdev->dev, 1);
 
-       tps_rtc->rtc = devm_rtc_device_register(&pdev->dev, pdev->name,
-               &tps65910_rtc_ops, THIS_MODULE);
-       if (IS_ERR(tps_rtc->rtc)) {
-               ret = PTR_ERR(tps_rtc->rtc);
+       tps_rtc->rtc->ops = &tps65910_rtc_ops;
+
+       ret = rtc_register_device(tps_rtc->rtc);
+       if (ret) {
                dev_err(&pdev->dev, "RTC device register: err %d\n", ret);
                return ret;
        }